The Complexity of Managing Medical Device Security Risk

Phil Englert of Health-ISAC on the Challenges of Extreme Device Diversity
Marianne Kolbasuk McGee (HealthInfoSec) August 19, 2022
The tens of thousands of very specialized types of medical devices used in clinical settings contain multitudes of diverse architectures and systems. That myriad of technical specifications adds to the complexity healthcare organizations and manufacturers face in managing cybersecurity risk, says Phil Englert, director of medical device security at the Health Information Sharing and Analysis Center.
“It’s very difficult for organizations to understand and quantify where the risks lie, how to put programs in place and how to approach this,” he says.
But those challenges are not faced only by the healthcare entities that use these devices, he says.
“It’s also the manufacturers themselves – especially the large ones that have multiple product lines that are distinctively different from each other. It’s difficult to say, ‘This set of controls will work ubiquitously across these technologies,’” he says.
“That diversity is really the challenge for the industry as a whole,” he says. “Being able to segment those challenges into manageable chunks and identify the similarities that can be managed with the same sorts of solutions … is the key to moving forward.”
In the interview, Englert also discusses:
- Why legacy medical device cybersecurity challenges are especially difficult;
- Steps healthcare organizations should consider taking to help improve security risk management and incident response involving medical devices;
- How his long career in medical device cybersecurity led him to recently join H-ISAC in a brand-new position to help enhance and expand the organization’s focus on information sharing and collaboration in the healthcare sector related to medical device security.

Englert has over 30 years of technical and operational leadership experience in healthcare and life sciences. He was most recently the chief product officer for MedSec, a cybersecurity consulting and services firm that focuses on hospitals and medical device manufacturers. Prior to that, he served as global leader for medical device cybersecurity at Deloitte, where he led client engagements developing medical device security programs.